Thycotic’s Cyber Security Publication

10 Tips to Ensure your Privileged Accounts for IoT are Protected and Secured

May 10th, 2017

Welcome to the world of IoT (Internet of Things) where more and more devices get connected online by the minute, with approximately 9 billion devices connected today. Every day billions of employees power up their devices and connect to the internet to plug into their everyday world: check the news, receive and respond to emails, chat with colleagues, pay invoices, work, shop, listen to music, stream the news, and the list goes on and on.

The connected world has become a reality in business too. In the past few years, we have seen every new technology being introduced connected to the internet, collecting vast amounts of data, and sending it across the world to be analyzed. This includes health devices, car engines, power stations, wind turbines, transportation and supply chain components, financial metrics, CCTV, and even children’s toys.

The Industrial Internet has smart cities coming online with sensors and data monitoring for every move we make – for example, autonomous vehicles communicating with infrastructure like traffic lights, weather conditions, and road traffic to ensure the most efficient traffic flow. We have seen everything from payment systems, medical, energy and infrastructure systems all being connected and the data being continuously analyzed to improve the services these companies provide and to stay innovative.

The challenge with IoT is that industrial companies typically design their systems for a long production life cycle, so devices stay in service for 7 to 20 years. This is typical of Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA) systems, sensors, and Programmable Logic Controllers (PLCs). But when these systems are connected to the internet, almost every scenario shows that security has been sacrificed: they are purposely built to rarely need updates, and their internet-facing security is usually considered only at the end of the design process, if at all.

Many IoT systems and devices being introduced today:

Run legacy operating systems, in some cases Windows 7 and even Windows XP

Have firmware with hard coded passwords

Use web interfaces served over unencrypted HTTP

Rely on security controls with very basic PIN codes and no integration with enterprise authentication

Have no encryption of data at rest or in transit

These choices may have been fine in a completely air-gapped system, where the perimeter could be controlled and tightened. With today's cloud, mobile and always-on connectivity, however, protecting devices that carry these basic security weaknesses is an impossible task, and such systems are being actively exposed to the public internet.
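A defender's first step is to know which of the five weaknesses above each device carries and whether that device is reachable from the internet. The audit below is an added example, not Thycotic's code or any product feature; the inventory fields, the set of legacy operating systems and the risk thresholds are assumptions made for the illustration, and the sample inventory is constructed.

```python
"""Audit a device inventory against the five IoT weaknesses listed above.

Added example, not Thycotic's code. The inventory format, the legacy-OS set
and the risk weights are assumptions; the sample inventory is constructed.
"""
from dataclasses import dataclass

# Operating systems that no longer receive vendor security updates.
# The article names Windows 7 and Windows XP; the set itself is an assumption.
LEGACY_OS = {"windows xp", "windows 7"}


@dataclass
class Device:
    name: str
    os: str
    firmware_hardcoded_password: bool   # vendor password baked into firmware
    web_scheme: str                     # "http" or "https"
    auth_method: str                    # "pin", "password", "ldap", "cert"
    encrypts_at_rest: bool
    encrypts_in_transit: bool
    internet_exposed: bool              # reachable from the public internet


def audit_device(dev: Device) -> list:
    """Return the list of weaknesses found on one device."""
    findings = []
    if dev.os.lower() in LEGACY_OS:
        findings.append("legacy OS without vendor security updates")
    if dev.firmware_hardcoded_password:
        findings.append("hard-coded firmware password")
    if dev.web_scheme.lower() == "http":
        findings.append("web interface over cleartext HTTP")
    if dev.auth_method.lower() == "pin":
        findings.append("PIN-only authentication, no directory integration")
    if not dev.encrypts_at_rest:
        findings.append("no encryption of data at rest")
    if not dev.encrypts_in_transit:
        findings.append("no encryption of data in transit")
    return findings


def risk_level(dev: Device) -> str:
    """Rate a device. Any weakness on an internet-exposed device is critical,
    because no perimeter compensates for it (the article's point); the
    thresholds below are an assumption of this example."""
    n = len(audit_device(dev))
    if n == 0:
        return "low"
    if dev.internet_exposed:
        return "critical"
    return "high" if n >= 3 else "medium"


def audit_inventory(devices: list) -> dict:
    """Produce a report keyed by device name, worst devices first."""
    ordered = sorted(devices,
                     key=lambda d: (d.internet_exposed, len(audit_device(d))),
                     reverse=True)
    return {d.name: {"risk": risk_level(d), "findings": audit_device(d)}
            for d in ordered}


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("plc-line-3", "Windows XP", True, "http", "pin", False, False, True),
    Device("hvac-controller", "Linux 4.x", False, "https", "ldap", True, True, False),
    Device("cctv-lobby", "Linux 3.x", True, "http", "password", False, True, False),
]

if __name__ == "__main__":
    for name, entry in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {entry['risk']}")
        for finding in entry["findings"]:
            print(f"  - {finding}")
```

Run as a script it prints the report; the sorting puts internet-exposed devices first so that the ones the paragraph above calls out, weak devices on the public internet, are at the top of the remediation queue.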

The lack of security by design means that the risks and threats against IoT devices and systems are high, and all companies considering deploying IoT should carefully consider the increased risks against the benefits.

Real world examples of cyber-attacks against IoT in the past few years include:

Texas Tornado Alarms being set off, causing panic across the city.

A German steel mill's blast furnace being damaged.

The Ukrainian power grid being taken offline, affecting 86,000 homes.

Hospital devices hit with ransomware, causing states of emergency to be declared because the hospitals were unable to continue critical services.

What all these devices have in common is that they collect data, they communicate across the internet, and in most scenarios they rely on credentials and passwords to protect their configuration or to authenticate their communication across networks.

How to Protect Today’s IoT Devices?

One of the most important tasks when deploying IoT and smart devices is to ensure that default credentials and passwords are correctly configured, to manage the privileged accounts that protect these devices, and to ensure that only authorized access is permitted. An enterprise-level privileged account management solution can ensure that privileged accounts are discovered, protected, and controlled. Automating the management of each device's privileged accounts is important to prevent these devices from being compromised, used as a foothold into the broader network, or used to attack another target.
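The three steps the paragraph above names, discover the accounts, replace vendor defaults with unique secrets, and gate who can retrieve them, can be exercised end to end in a small model. The class below is an added example, not Thycotic's product or code: the in-memory vault, the 90-day rotation period, the 24-character secret length and all device, account and user names are assumptions made for the illustration.

```python
"""Minimal privileged-account manager for a device fleet.

Added example, not Thycotic's code. The vault is an in-memory dict (a real
deployment uses a hardened secret store); the rotation period and secret
length are assumed policy values; every name below is constructed.
"""
import secrets
import string
from datetime import datetime, timedelta, timezone
from typing import Optional

ROTATION_PERIOD = timedelta(days=90)     # assumed policy value
SECRET_LENGTH = 24                       # assumed policy value
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


class PrivilegedAccountManager:
    def __init__(self, authorized_users: set):
        self._authorized = authorized_users
        self._vault = {}          # (device, account) -> record
        self.audit_log = []       # every discovery, rotation and checkout attempt

    @staticmethod
    def _new_secret() -> str:
        # CSPRNG-based and unique per account, so one leaked device
        # credential cannot unlock the rest of the fleet.
        return "".join(secrets.choice(ALPHABET) for _ in range(SECRET_LENGTH))

    def discover(self, device: str, accounts: dict) -> list:
        """Register a device's accounts; `accounts` maps name -> still-on-vendor-default.
        Returns the accounts still using defaults so they can be rotated first."""
        defaults = []
        for name, is_default in accounts.items():
            key = (device, name)
            if key not in self._vault:
                self._vault[key] = {"secret": None, "rotated": None, "default": is_default}
            if is_default:
                defaults.append(name)
        self.audit_log.append(f"discover {device}: {len(accounts)} accounts, "
                              f"{len(defaults)} on vendor defaults")
        return defaults

    def rotate(self, device: str, account: str, now: Optional[datetime] = None) -> str:
        """Replace the account's secret (default, unmanaged or expired) and record when."""
        now = now or datetime.now(timezone.utc)
        rec = self._vault[(device, account)]
        rec["secret"] = self._new_secret()
        rec["rotated"] = now
        rec["default"] = False
        self.audit_log.append(f"rotate {device}/{account}")
        return rec["secret"]

    def rotate_defaults(self, now: Optional[datetime] = None) -> list:
        """Rotate every account still on a vendor default; returns what was rotated."""
        done = []
        for (device, account), rec in self._vault.items():
            if rec["default"]:
                self.rotate(device, account, now)
                done.append((device, account))
        return done

    def due_for_rotation(self, now: datetime) -> list:
        """Accounts never vaulted or older than the rotation period."""
        return [k for k, r in self._vault.items()
                if r["rotated"] is None or now - r["rotated"] >= ROTATION_PERIOD]

    def checkout(self, user: str, device: str, account: str) -> str:
        """Hand out a secret only to an authorized user, logging every attempt."""
        if user not in self._authorized:
            self.audit_log.append(f"DENY checkout {device}/{account} by {user}")
            raise PermissionError(f"{user} is not authorized for privileged access")
        rec = self._vault[(device, account)]
        if rec["default"] or rec["secret"] is None:
            raise RuntimeError("account not yet under management; rotate it first")
        self.audit_log.append(f"checkout {device}/{account} by {user}")
        return rec["secret"]


def demo() -> dict:
    """Walk one constructed device through discovery, rotation and access control."""
    pam = PrivilegedAccountManager(authorized_users={"ics-admin"})
    t0 = datetime(2017, 5, 10, tzinfo=timezone.utc)
    defaults = pam.discover("plc-line-3", {"admin": True, "operator": False})
    rotated = pam.rotate_defaults(now=t0)
    secret = pam.checkout("ics-admin", "plc-line-3", "admin")
    denied = False
    try:
        pam.checkout("intern", "plc-line-3", "admin")
    except PermissionError:
        denied = True
    return {
        "defaults": defaults,
        "rotated": rotated,
        "secret_length": len(secret),
        "due_at_30_days": pam.due_for_rotation(t0 + timedelta(days=30)),
        "due_at_90_days": pam.due_for_rotation(t0 + timedelta(days=90)),
        "unauthorized_denied": denied,
        "log_entries": len(pam.audit_log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points carry the paragraph's argument: an account that is still on its vendor default can never be checked out, only rotated, so the default is removed before anyone relies on the device; and every denied checkout lands in the audit log, which is the record a detection team would alert on.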

Joseph Carson

Joseph Carson has over 25 years' experience in enterprise security, is the author of "Privileged Account Management for Dummies" and "Cybersecurity for Dummies", and is a cyber security professional and ethical hacker. Joseph is a cyber security advisor to several governments, critical infrastructure, financial and transportation industries, speaking at conferences globally. Joseph serves as the Chief Security Scientist at Thycotic.